  • BW5.X - Security - How to use HTTP Basic Authentication in BusinessWorks 5.X


    It is possible to use HTTP Basic Authentication in BusinessWorks 5.X while acting both as an HTTP server and an HTTP client.

    Basic Authentication in an HTTP Server application

    When a BusinessWorks 5.X application acts as an HTTP server and uses Basic Authentication, the identity repository used by BusinessWorks is the Domain where the application is running. In other words, the user / password credentials presented by client applications are verified by the BusinessWorks server application against the Domain users.

    Domain users are managed with TIBCO Administrator in the ‘User Management -> Users’ tab.


    Users can be created from that tab or synchronized from an LDAP server (generally the Enterprise Active Directory server).

    To enable Basic Authentication in an HTTP Receiver activity, check the ‘HTTP Authentication’ option in the Configuration tab of the activity. It is also recommended to check the ‘Expose Security Context’ option (see the explanation at the end of the article).

    Basic Authentication in an HTTP client application

    First create an Identity resource of type User / Password and set the user name and the corresponding password.

    Then you have to configure the ‘Send HTTP Request’ activity to use basic authentication and the credentials set in the Identity resource.


    To change the credentials (user name and password) dynamically at runtime, you can build the ‘Authorization’ header yourself in the Input mapping of the activity. The header value can be created using an XPath expression similar to the one below:

    concat("Basic ", tib:string-to-base64(concat($_globalVariables/ns:GlobalVariables/BasicAuth/User, ":", "MyPass")))

    Testing a client application in Designer

    To be able to test an application using Basic Authentication in an HTTP client activity you need to do the following:

    1) Copy the <TRA_Home>/domain/<domain_name>/AuthorizationDomain.properties file from the target domain to <TIBCO_HOME>/tra/5.x on the local machine.

    2) Make sure the file <TIBCO_HOME>/tra/domain/DomainHomes.properties exists. If not, copy it from the target domain to the local machine.

    More details are available in the following TIBCO KB article:

    https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-39055

    An important thing to keep in mind

    When multiple applications expose multiple endpoints and use Basic Authentication to filter client calls, any authenticated user in the target Domain can access all the endpoints.

    It is therefore recommended that each BusinessWorks server application check that the user is authorized to access the endpoints it manages. In other words, authorization has to be handled in the logic of the BusinessWorks applications.

    When the ‘Expose Security Context’ option is checked, the user name is available in the Output of the ‘HTTP Receiver’ activity.
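
    The per-endpoint authorization check recommended above, sketched in Python as an added example (not part of the original article and not BusinessWorks code). It also shows that the ‘Authorization’ header value is only Base64-encoded, so anyone who sees the header can recover the password. The function names, the ENDPOINT_ACL table, its endpoint paths and user names are hypothetical, and UTF-8 encoding of the credentials is an assumption.

```python
import base64
import binascii

# Constructed sample ACL: endpoint path -> Domain users allowed to call it.
# Paths and user names are hypothetical.
ENDPOINT_ACL = {
    "/orders": {"svc_orders", "alice"},
    "/payroll": {"svc_hr"},
}


def basic_auth_header(user: str, password: str) -> str:
    """Mirror of the XPath concat("Basic ", string-to-base64(user:password))."""
    if ":" in user:
        raise ValueError("user name must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header: str):
    """Return (user, password), or None if the header is not valid Basic auth."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def is_authorized(user: str, endpoint: str, acl=ENDPOINT_ACL) -> bool:
    """Deny by default: unknown endpoints and unlisted users are rejected."""
    return user in acl.get(endpoint, set())
```

    In a BusinessWorks process the user name would come from the security context exposed by the ‘HTTP Receiver’ activity, and only the equivalent of is_authorized would be implemented in the process logic.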

    Using Basic Authentication in Postman

    It is possible to test Basic Authentication from Postman using the Authorization tab with Type ‘Basic Auth’.

    Using Basic Authentication with SOAP server and client applications

    The elements above apply to the Inbound and Outbound Security Policies that can be used to secure exposed SOAP endpoints (SOAP server) and SOAP calls (SOAP client).

     